---
title: "7 React Router security vulnerabilities: what you need to know"
description: "Seven React Router vulnerabilities have been disclosed. Two are DoS with minimal Netlify impact. Affected sites should upgrade to react-router 7.15.1."
source: "https://www.netlify.com/changelog/2026-06-02-react-router-security-vulnerabilities/"
last_updated: "2026-07-15T11:40:16.000Z"
---
The React Router team has disclosed seven security vulnerabilities. Here’s what Netlify customers need to know.

## Vulnerabilities

Vulnerability

Package

Affected versions

Fixed in

[GHSA-8x6r-g9mw-2r78](https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78) — DoS via `__manifest` endpoint

`react-router`

7.0.0–7.14.x

7.15.0

[GHSA-rxv8-25v2-qmq8](https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8) — DoS via single-fetch request body

`react-router`

7.0.0–7.13.x

7.14.0

[GHSA-8646-j5j9-6r62](https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62) — XSS via `javascript:` redirect in unstable RSC

`react-router`

7.7.0–7.13.1

7.13.2

[GHSA-49rj-9fvp-4h2h](https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h) — RCE when chained with prototype pollution

`react-router`

7.5.2–7.14.1

7.14.2

[GHSA-2j2x-hqr9-3h42](https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42) — Protocol-relative open redirect

`react-router`

7.0.0–7.14.0

7.14.1

[GHSA-f22v-gfqf-p8f3](https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3) — Stored XSS in prerendered redirect HTML

`@react-router/dev`

7.0.0–7.13.1

7.13.2

[GHSA-84g9-w2xq-vcv6](https://github.com/remix-run/react-router/security/advisories/GHSA-84g9-w2xq-vcv6) — CSRF check bypassed for PUT/PATCH/DELETE

`react-router`

7.12.0–7.15.0

7.15.1

## Impact on Netlify

### GHSA-8x6r-g9mw-2r78 and GHSA-rxv8-25v2-qmq8 (denial of service)

These are server-side denial-of-service (DoS) vulnerabilities. **On Netlify, these have minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.

### GHSA-8646-j5j9-6r62 (XSS in unstable RSC)

This vulnerability affects apps using the experimental `unstable_*` RSC APIs where an attacker can control a redirect target. Only apps using these unstable APIs are affected.

**Regardless of hosting provider, affected apps passing untrusted input into RSC redirect calls may be vulnerable.**

### GHSA-49rj-9fvp-4h2h (RCE when chained)

**This vulnerability is not directly exploitable against React Router alone.** Reaching the vulnerable code path requires the application to first be independently vulnerable to a prototype pollution attack.

### GHSA-2j2x-hqr9-3h42 (open redirect)

Apps that redirect users to attacker-supplied URLs with the intent to restrict them to the same origin may inadvertently allow protocol-relative redirects to external origins.

**Regardless of hosting provider, all affected apps passing untrusted input to `redirect()` may be vulnerable.**

### GHSA-f22v-gfqf-p8f3 (stored XSS in prerendering)

This vulnerability affects apps using the prerendering feature (`prerender: [...]` in `react-router.config.ts`). If any redirect target baked into a prerendered build originates from external or attacker-controlled data, the static artifact remains affected until a fresh build is run with a patched version.

**Regardless of hosting provider, all affected apps using prerendering with externally sourced redirect targets may be vulnerable.**

### GHSA-84g9-w2xq-vcv6 (CSRF bypass for PUT/PATCH/DELETE)

The CSRF origin check introduced in React Router 7.12.0 only applied to `POST` requests on the document-request path, leaving `PUT`, `PATCH`, and `DELETE` unchecked. In practice, exploitation additionally requires the app to have explicitly opened CORS for those methods and to be issuing session cookies with `SameSite=None`.

**Regardless of hosting provider, this only poses a meaningful risk in apps with permissive cross-origin configurations.**

## What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

-   `react-router` 7.15.1 or later
-   `@react-router/dev` 7.13.2 or later (if using prerendering)

If your app uses prerendering, trigger a fresh build after upgrading to regenerate any affected static assets.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).